The PCI Security Standards Council announced last week that it is seeking feedback from participating organizations on its draft publication of ATM security guidelines. The ATM Industry Association has already expressed one point of concern about terms used in the draft.
The ATM Security Guidelines Information Supplement
It's a very long name for a very simple idea: Secure the whole machine, not just parts of it. The draft document produced by the council is its response to industry requests for a more comprehensive guide for securing ATM data. PCI Standards currently address ATM PIN pads, but not the ATM as a unit — leaving a guidance gap when it comes to growing threats such as skimming fraud.
In the absence of global industry guidelines for securing ATMs, the council has developed a set of best practices to help operators ensure that their machines will not be compromised. These draw on existing standards from the IT, security and payment card industries, among others.
The draft ATM Security Guidelines Information Supplement provides an introduction to ATM security and outlines best practices that address software, hardware and device components of the ATM.
A 60-day opportunity for review and comment
As a benefit of their involvement in the PCI community, participating organizations have the opportunity to provide feedback in the development of PCI standards and resources. The council has established a review period for the draft guidelines of 60 days, during which participating organizations can read and comment on the draft via the PO portal. The draft will then be revised and finalized before the end of the year.
"We rely on industry feedback to develop PCI Standards and resources," said Bob Russo, general manager of the PCI Security Standards Council, in an announcement about the draft guidelines. "By sharing an early version of the guidelines with the PCI community, we're aiming to ensure these best practices reflect the key challenges and areas of concern when it comes to addressing ATM security.
Specifically, we encourage ATM manufacturers and software vendors to provide their input, as experts in the space and as those who will be applying these guidelines in their everyday business."
'Standards' — or 'best practices'?
ATM Industry Association CEO Mike Lee is also encouraging comment before the November 13 cutoff date. Lee is urging POs to request clarification of terms used in the document; his concern is that the draft uses the words "standards" and "best practices" interchangeably.
"These are two very different beasts," Lee wrote in an email to ATM Marketplace. "Standards need to be enforced and global standards need to be enforced globally — at great on-going cost and effort. Best practices are minimum industry security recommendations and are not enforced as such; they are subscribed to voluntarily in a spirit of self-regulation. These two approaches are miles apart."
Lee is hoping that if enough POs speak up about the standards/best practices question, the PCI SSC will clarify its intentions about enforcement and revise the guidelines to be consistent with its position — whichever it is.
"I urge the PCI Security Standards Council to specify in a transparent manner as soon as possible whether they are producing enforceable ATM security standards — which they intend to enforce — or best practices which the industry should adopt as part of a voluntary code of practice," Lee wrote. " … this confusion of terms should be cleared up as soon as possible."